DRb Inside Stored Procs
A message from Tim Sutherland of the Ruby Weekly News. He alerts us to a hack in which Ruby's
$SAFE is set to zero inside the
PL/Ruby module for PostgreSQL (which lets you write Ruby inside stored procedures). This means: anything. With $SAFE at zero there is no taint checking and no restriction on what the Ruby in a stored procedure may do, so the function body runs with whatever privileges the database server process itself has.
But more specifically:
SELECT redcloth('*strong text* and _emphasized text_');
The culprit here is Robby Russell. You bandits lick this stuff up like it’s perfumed peanut butter. The DRb jammed inside Postgres example is v. funny. He gives a good case for using RedCloth inside PostgreSQL—so he can use it from PHP. It works better than Parrot I guess. SQLite will let you hook Ruby methods like this as well. (Disclaimer: I am not on the board of advisors for Parrot.)
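For the record, here is the sort of function that SELECT above is calling, written out in PL/Ruby. This is an added example of my own, not Robby's code or anything from the PL/Ruby distribution. It assumes the PL/Ruby handler is installed and registered under the language name plruby, that the RedCloth gem is installed for the server's Ruby, and PL/Ruby's convention of handing the function's arguments to the body as the `args` array. The REVOKE at the end is the check a practitioner would want: since $SAFE is zero, whoever can define a plruby function owns the database server's process, so ordinary roles should not be able to.

```sql
-- Added example (mine, not from the original post or from Robby Russell).
-- Assumes: PL/Ruby installed as the language "plruby", the RedCloth gem
-- available to the server's Ruby, and PL/Ruby's `args` array convention.

-- The body between the $$ markers is Ruby, not SQL, so it uses Ruby comments.
CREATE OR REPLACE FUNCTION redcloth(text) RETURNS text AS $$
  # $SAFE == 0 here: nothing stops this body from require-ing any library,
  # touching the filesystem, or opening sockets (hence the DRb trick).
  # This one only does what the name says: Textile in, HTML out.
  require 'redcloth'
  RedCloth.new(args[0]).to_html
$$ LANGUAGE plruby;

-- The call from the post. Callers of redcloth() get only what the body
-- does; the unrestricted power belongs to whoever writes the body.
SELECT redcloth('*strong text* and _emphasized text_');

-- Caveat: treat plruby as an untrusted language. If it was registered as
-- trusted, USAGE is granted to PUBLIC by default, and any role with CREATE
-- on a schema could define a function that runs arbitrary Ruby as the
-- postgres OS user. Pull that back so only superusers define plruby functions.
REVOKE USAGE ON LANGUAGE plruby FROM PUBLIC;
```

Use it from PHP (or anything else with a PostgreSQL driver) exactly as the SELECT shows; the redcloth() function is just another SQL function from the client's point of view, which is the whole appeal.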